Page 1 of 1
ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 10:28 am
by tandrot8
Hello everyone!
I would like to know if someone here tried to configure/run ProtonVPN on Mikrotik routers.
According to ProtonVPN team it is not possible because most of Mikrotik routers support only PPTP connection protocol, which is not supported by ProtonVPN.
Have a great day!
Thank you.
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 10:57 am
by normis
That's just wrong. They say on their website:
We use only VPN protocols which are known to be secure - IKEv2/IPSec
RouterOS does support that:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 12:13 pm
by tandrot8
@normis: I agree with you. I will send to ProtonVPN's Team the link that you posted.
Normis, can you/we test to see how it works and what problems can arise, if they occur?
Thank you for your answer.
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 12:26 pm
by mrz
By looking at this example:
https://protonvpn.com/support/linux-ikev2-protonvpn/
it is very similar to nordvpn config, so you can use NordVPN RouterOS setup example as a reference:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 12:43 pm
by tandrot8
Thank you mrz. I'll read the links you posted and test it.
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 1:02 pm
by tandrot8
Hi @normis,
Hi @mrz,
I'm posting the answer that I received from ProtonVPN:
We use only the highest strength encryption to protect your Internet connection. This means all your network traffic is encrypted with AES-256, key exchange is done with 4096-bit RSA, and HMAC with SHA384 is used for message authentication.
We have carefully selected our encryption cipher suites to only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, we generate a new encryption key, so a key is never used for more than one session.
We use only VPN protocols which are known to be secure - IKEv2/IPSec and OpenVPN. ProtonVPN does not have any servers that support PPTP and L2TP/IPSec, even though they are less costly to operate. By using ProtonVPN, you can be confident that your VPN tunnel is protected by the most reliable protocol.
For more information, please refer to the following page:
https://protonvpn.com/secure-vpn
Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.
Please do not hesitate to contact us again if any additional information or assistance is needed.
Regards,
[Removed the name of the person that answered]
ProtonVPN.com
Thank you.
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 1:06 pm
by normis
Sad to see that such a reputable company has no understanding of their own products
MikroTik doesn't force anyone to use legacy insecure PPTP. We support IPsec. You can tell them that, looks like it's news for them.
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 1:11 pm
by tandrot8
Normis,
Maybe they do not know how to configure Mikrotik routers
, although I doubt it.
I already sent them a message with the links that you and mrz posted as a reply to my questions.
I will test on a Mikrotik router that I have and I will write, maybe, a tutorial on how to do it.
Thank you.
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 1:23 pm
by mrz
Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.
BTW OVPN is also supported, maybe they require some specific OVPN feature?
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 1:51 pm
by tandrot8
Maybe. However, below is the content of one of their config files:
client
dev tun
proto udp
remote server-name1 port1
remote server-name2 port2
remote server-name3 port3
remote server-name4 port4
remote server-name5 port5
remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass
pull
fast-io
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
[removed certificate]
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
[removed key]
-----END OpenVPN Static key V1-----
</tls-auth>
Maybe you can spot some OVPN feature that is not yet implemented in ROS, although I doubt it.
Thank you
Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.
BTW OVPN is also supported, maybe they require some specific OVPN feature?
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 2:12 pm
by mrz
SHA512 is not supported and UDP is supported only in ROS v7
Re: ProtonVPN on Mikrotik
Posted: Mon Mar 02, 2020 6:22 pm
by tandrot8
mrz,
You can connect using tcp protocol, but if they use in the config file the SHA512 then it's the same story.
However, if the SHA512 and UDP is not available in the current version of ROS and only in the v7 then in theory they are right.
Please correct me if I'm wrong.
Re: ProtonVPN on Mikrotik
Posted: Fri May 01, 2020 8:03 pm
by newbeen
Hello Guys,
I got this to work using the nordsvpn guide, initial I got:
ipsec payload seen: NOTIFY (8 bytes)
ipsec first payload is NOTIFY
ipsec processing payloads: NOTIFY
ipsec notify: NO_PROPOSAL_CHOSEN
ipsec peer replied: NO_PROPOSAL_CHOSEN
But after a small tweak I got this to work.
[admin@rg] /ip ipsec proposal>> /ip ipsec mode-config print
Flags: * - default, R - responder
1 name="ProtonVPN" responder=no connection-mark=ProtonVPN
[admin@rg] /ip ipsec proposal>> /ip ipsec profile print
1 name="ProtonVPN" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp4096,modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd
[admin@rg] /ip ipsec proposal>> /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="ProtonVPN" address=x.x.x.x/32 profile=ProtonVPN exchange-mode=ike2 send-initial-contact=yes
[admin@rg] /ip ipsec proposal>> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
1 DA ProtonVPN yes x.x.x.x/32 0.0.0.0/0 all encrypt unique 1
[admin@rg] /ip ipsec proposal>> /ip ipsec proposal print
Flags: X - disabled, * - default
1 name="ProtonVPN" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none
Then was a bit of a fight in till Disney+ was working, static DNS for the rescue on that one
Re: ProtonVPN on Mikrotik
Posted: Sun May 03, 2020 11:00 pm
by Baikan4ik
Hello. Could you upload your config for protonvpn? With NordVpn no troubles. But with proton...even with your tricks. Trying to connect, for several seconds active peer appear and disappear with eap error
Re: ProtonVPN on Mikrotik
Posted: Thu May 07, 2020 8:15 pm
by newbeen
Hello,
This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.
# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
Re: ProtonVPN on Mikrotik
Posted: Thu May 07, 2020 9:02 pm
by Baikan4ik
thank you very much) Are you sure that only paid? Because from official site I can download configs fo free using like Free USA and Free Netherland
Re: ProtonVPN on Mikrotik
Posted: Thu May 21, 2020 10:21 am
by sigmasquared
I'm trying this, but I'm getting "EAP Failed" in logs, have I missed a step somewhere?
Hello,
This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.
# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
Re: ProtonVPN on Mikrotik
Posted: Sun Jun 28, 2020 1:16 am
by dave864
I get
Can't verify peers certificate from store
Peer failed to authorise
Any ideas?
Re: ProtonVPN on Mikrotik
Posted: Sun Jun 28, 2020 12:05 pm
by sindy
Any ideas?
Have you imported the root CA certificate, using which the server's certificate is signed, to the Mikrotik?
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 12:00 am
by dave864
Well what da-ya know?!?!?
I did it!!!!
Thanks Sindy. I had not done that part.
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
substitute for ProtonVPN, got an address (free server) in Netherlands
got my IKE details from my ProtonVPN account
Got cert from:
https://protonvpn.com/download/ProtonVPN_ike_root.der
/tool fetch url="
https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der
Thanks to newbean for using his code. Think it's the same as the wiki. Not sure. If different then I may have mixed both sources up. Anyone stuck on this then drop me an IM and I'll post the code
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 12:23 am
by dave864
The free server is a bit funky.
I get some web pages working fine, Google webpage/search doesn't work at all. DNS does though although I use 8.8.8.8 and 1.1.1.1 so no idea if my dns switched provider.
This issue might be my config and not related to the free server.
Anyway, speedtest net mobile app ran at 2mbs down then failed the upload. After that, web pages started to fail for a few minutes.
I also got a strange leak, temporarily, as whatismyip changed back to UK. Maybe it was a cached result I don't know (one result only and occurred after the tunnel fail/stall - and I think the tunnel did drop for a moment and hence the reason for speedtest fail).
In the end I did get consistent NL ip addresses.
Will test some more
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 9:09 am
by sindy
As for the leaks, you have to make sure that while the VPN is down for any reason, packets are not routed the normal way via WAN. But because IPsec policy matching, and eventual packet redirection to the IPsec SA, requires that the packets were routed the normal way first, you need that the normal routing always sends them somewhere. The simplest way to achieve this is to add an /interface bridge without any member interfaces, and make it the gateway of the default route in a dedicated routing table for traffic which should only go via the VPN. Marking packets to use a specific routing table is called policy routing throughout Mikrotik documentation and it has nothing to do with IPsec policies. It is also possible to change the gateway of the default route in the main routing table and add dedicated routes towards the VPN server itself that use the default gateway, but with a DHCP client on WAN, this way is more complex than use of policy routing.
As for some sites working weird or not at all, there is the issue with path MTU discovery. When a packet sent by your PC is too large to fit to the WAN interface after getting wrapped into the IPsec headers and footers, the Mikrotik sends back an ICMP "fragmentation needed" message and the PC sends a smaller slice of the byte stream from the output buffer. But as the source address of that ICMP packet is Mikrotik's own one in the subnet where the PC is, and as the destination address of the IPsec policy is "anywhere", these packets are also redirected to the SA. Hence you have to place a static action=none src-address=0.0.0.0/0 dst-address=your.lan.sub.net/mask row into the /ip ipsec policy table before (above) the template from which the actual policy is generated when the IKEv2 connection establishes. The IPsec policy matching is done the same way like firewall rule matching, top to bottom until first match, so this added policy prevents packets sent by the router itself to its LAN clients from being redirected.
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 11:25 pm
by dave864
Hi Sindy,
Your second point about IPsec and mtu. I am confused.
I understand the mtu and your reasons but not sure how to solve it with the additional rule. Is that a firewall rule or something I setup in NAT or IPSEC?
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 11:48 pm
by dave864
My IPsec policy is a template.
Are you saying I create the exact same thing but set it as not a template and set action to none?
I don't understand that. You're suggesting that the ICMP packets are incorrectly being pushed through the tunnel instead of back to the lan
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 11:48 pm
by sindy
I understand the mtu and your reasons but not sure how to solve it with the additional rule. Is that a firewall rule or something I setup in NAT or IPSEC?
As I wrote, it is an IPsec policy, i.e. a row (or rule if you want) in the
/ip ipsec policy table.
There are two types of rows in this table - actual policies and templates. The templates are used to create actual policies dynamically if
/ip ipsec identity row permit this (and refers to a policy template group); the dynamically created policies appear after (below) the template from which they were created. So once you have the connection up, add the policy described above (an actual policy, not a template) and drag it above the template from which the dynamic policy has been created. As it is created manually, it survives a disconnection and re-connection of the IKEv2 session.
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 11:57 pm
by sindy
I don't understand that. You're suggesting that the ICMP packets are incorrectly being pushed through the tunnel instead of back to the lan
Not all ICMP packets. Only those sent by the Tik itself to the LAN clients, because the source address of these packets is from the LAN subnet, which you src-nat to the IP address assigned by the remote IPsec responder (server) by means of mode-config. So another possible remedy is to populate the
address-list to which your
mode-config row refers so that it would not contain the LAN IP of the Mikrotik itself.
Re: ProtonVPN on Mikrotik
Posted: Fri Jul 03, 2020 11:59 pm
by dave864
Tunnel = un-ticked
Source = 0.0.0.0/0
Dest = 192.168.50.0/24
protocol = 255(all)
Template = un-ticked
Action = none
Level = require
IPsec Proto = esp
Proposal = ProtonVPNproposal or should this be default?
Re: ProtonVPN on Mikrotik
Posted: Sat Jul 04, 2020 12:02 am
by sindy
Proposal = ProtonVPNproposal or should this be default?
For
action=none, a
proposal value is irrelevant. So if you cannot suppress it, use any value.
Re: ProtonVPN on Mikrotik
Posted: Sat Jul 04, 2020 12:07 am
by dave864
Hey, that works.
Web pages are going through better and google now works.
Thanks - very much appreciated
Just ran speed tests to the free ProtonVPN in NL and it is doing 20mbs both ways. vast improvement
Re: ProtonVPN on Mikrotik
Posted: Sat Aug 01, 2020 9:35 am
by vaskos
I have managed to setup Proton VPN on Mikrotik according this thread, its working , but the connection drops approximately every 4 hours. There is no error, even if I enable ipsec debug log...
does anyone have a similar experience?
Image 2.png
Re: ProtonVPN on Mikrotik
Posted: Sat Aug 01, 2020 4:24 pm
by MikroPlan
Hello,
This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.
# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
I've entered the setup and have a connection to the Proton server -
[admin@MikroTik] > /ip ipsec active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
0 N 37.120.215.244 established 3h14m11s 1 37.120.215.244
I want to send all my LAN(192.168.88.0/24) traffic over the VPN, so I entered the following from the Mikrotik Nord VPN example -
/ip firewall address-list add address=10.5.8.0/24 list=local
/ip ipsec mode-config set [ find name=ProtonVPN ] src-address-list=local
The NAT rule is shown as -
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.1.11.227 src-address-list=local dst-address-list=!local connection-mark=ProtonVPN
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
No LAN traffic is passing over the active VPN connection, what have I done wrong? Here is an image of my firewall rules -
Re: ProtonVPN on Mikrotik
Posted: Sat Aug 01, 2020 7:11 pm
by sindy
From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.
You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
Re: ProtonVPN on Mikrotik
Posted: Tue Aug 04, 2020 2:28 pm
by MikroPlan
From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.
You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -
# aug/04/2020 12:19:10 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=58:3F:1A:22:16:1C auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=pass use-peer-dns=yes user=myuser
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=no-mark name=ProtonVPN responder=no src-address-list=\
local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=us.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.5.8.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=ProtonVPN password=vpnpass peer=\
ProtonVPN policy-template-group=ProtonVPN username=\
vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Re: ProtonVPN on Mikrotik
Posted: Tue Aug 04, 2020 2:35 pm
by msatter
If using connection-mark then you still have to mark traffic in Mangle.
Re: ProtonVPN on Mikrotik
Posted: Tue Aug 04, 2020 2:54 pm
by MikroPlan
If using connection-mark then you still have to mark traffic in Mangle.
The previous post suggested I unset the connection mark, it would be simplest if someone posted their working config including mangle rules etc.
Re: ProtonVPN on Mikrotik
Posted: Tue Aug 04, 2020 6:08 pm
by kams19
If using connection-mark then you still have to mark traffic in Mangle.
The previous post suggested I unset the connection mark, it would be simplest if someone posted their working config including mangle rules etc.
I think you need to look at the link below to understand what needs to be sent via the tunnel - option 2 talks about MANGLE.. you need to do that for this to work
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
Re: ProtonVPN on Mikrotik
Posted: Tue Aug 04, 2020 7:11 pm
by msatter
That suggesting was made to detect an error easier by having only one point of failure. Then you posted your config where looked for connection-marking in Mangle and found none.
The Wiki page linked to by Kams19 explains it in detail.
Re: ProtonVPN on Mikrotik
Posted: Thu Aug 06, 2020 1:14 am
by yivanov
Is it possible for someone to write from A to Z how to set the VPN?
Thanks
Re: ProtonVPN on Mikrotik
Posted: Thu Aug 06, 2020 2:01 pm
by Vargas
Hello,
Issueing exactly the same commands posted by newbeen (with username and password adapted) the tunnel doesn't come up (ipsec active-peers table stays empty).
Is a particular version required (we use the latest LTS, 6.45.9)? Are additional packages needed (we only have basics, with hotspot, ipv6, mpls, ppp and routing disabled)? How can we access to a log (nothing appears on /log except for the audit of the configuration beeing issued) or even better a debug?
We are stuck ont the first part, establishing an IPSEC IKE v.2 tunnel; we aren't yet even facing the aspect of selecting which traffic to route towards the tunnel.
Thank you very much for your help.
A.V.
Re: ProtonVPN on Mikrotik
Posted: Thu Aug 06, 2020 2:07 pm
by normis
Vargas, email support with your config file (supout.rif).
as to ProtonVPN, the config should be nearly identical to NordVPN guide here:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
also, enable more ipsec logs like this:
/system logging add topics=ipsec,!packet
Re: ProtonVPN on Mikrotik
Posted: Thu Aug 06, 2020 11:34 pm
by MikroPlan
From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.
You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -
OK, success ! I seem to be sending all traffic over the Proton VPN ... here is my config for anyone who is stuck -
# aug/06/2020 21:23:22 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=18:1F:1A:12:16:15 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=password use-peer-dns=yes user=username
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=ProtonVPN password=vpnpass peer=\
ProtonVPN policy-template-group=ProtonVPN username=\
vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I added the MSS clamp because there seemed to be an issue loading some pages ... but the config should still basically work without it. Think the old issue may have been the source address list I defined in ipsec mode config ... but not certain since I'm not an expert. Anyway it works now apparently(don't forget to load your certificates first).
Re: ProtonVPN on Mikrotik
Posted: Thu Aug 13, 2020 7:02 pm
by Vargas
Vargas, email support with your config file (supout.rif).
as to ProtonVPN, the config should be nearly identical to NordVPN guide here:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
also, enable more ipsec logs like this:
/system logging add topics=ipsec,!packet
Thank you very much for your availability.
I finally succeeded in establishing the tunnel (I forgot to add a rule to receive IKE replies on the INPUT chain of IPTABLES.
Now I will just follow the posted advices to understand how to select the traffic to encapsulate (through static routes or through iptables).
Thanks again.
A.V.
Re: ProtonVPN on Mikrotik
Posted: Mon Aug 17, 2020 9:16 am
by dave864
From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.
You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -
OK, success ! I seem to be sending all traffic over the Proton VPN ... here is my config for anyone who is stuck -
# aug/06/2020 21:23:22 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=18:1F:1A:12:16:15 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=password use-peer-dns=yes user=username
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=ProtonVPN password=vpnpass peer=\
ProtonVPN policy-template-group=ProtonVPN username=\
vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I added the MSS clamp because there seemed to be an issue loading some pages ... but the config should still basically work without it. Think the old issue may have been the source address list I defined in ipsec mode config ... but not certain since I'm not an expert. Anyway it works now apparently(don't forget to load your certificates first).
Just like to point out the extra policy that Sindy noted near the beginning of this thread. It might solve your packet issues and resolve the mss issue
Re: ProtonVPN on Mikrotik
Posted: Tue Aug 25, 2020 6:27 pm
by xbliss
I am kinda new to Mikrotik, so would appreciate if you've got this figured & fixed to post a little How To/ Tutorial/ Or key steps (maybe leverage an existing How To w some changes)?
From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.
You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -
OK, success ! I seem to be sending all traffic over the Proton VPN ... here is my config for anyone who is stuck -
# aug/06/2020 21:23:22 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=18:1F:1A:12:16:15 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=password use-peer-dns=yes user=username
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=ProtonVPN password=vpnpass peer=\
ProtonVPN policy-template-group=ProtonVPN username=\
vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I added the MSS clamp because there seemed to be an issue loading some pages ... but the config should still basically work without it. Think the old issue may have been the source address list I defined in ipsec mode config ... but not certain since I'm not an expert. Anyway it works now apparently(don't forget to load your certificates first). :?
Just like to point out the extra policy that Sindy noted near the beginning of this thread. It might solve your packet issues and resolve the mss issue
Re: ProtonVPN on Mikrotik
Posted: Tue Dec 22, 2020 3:36 am
by roxanaschram
Not sure if it's any help to you guys but SurfShark has a full on guide to setting up IKEv2 VPNs on their site, only issue I found was using the servers dns name drops every 5-10 seconds, but using the Ip address of that server works flawlessly. I'm getting around 250mbps between USA and Iceland, about 150mbps between USA and their multihops...
https://support.surfshark.com/hc/en-us/ ... with-IKEv2
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 1:42 am
by menace
hey getting a EAP error a little help please
from my log and setuo
ipsec, info new ike2 SA (I): 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:0daf70b2bc356dad:daf672b176e4d615
ipsec, info, account peer authorized: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:0daf70b2bc356dad:daf672b176e4d615
ipsec, error EAP failed:
ipsec, info killing ike2 SA: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:0daf70b2bc356dad:daf672b176e4d615
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 disabled=yes exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=1337 peer=ProtonVPN policy-template-group=ProtonVPN username=flynn
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 7:47 am
by sindy
Have you imported Proton's root CA certificate to the Mikrotik?
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 10:42 am
by menace
Have you imported Proton's root CA certificate to the Mikrotik?
Yes I have
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 10:54 am
by sindy
OK. So first, confirm you have changed the password and/or username on the
/ip ipsec identity row before posting the export; if you haven't, change the password at your Proton account (and update it in the identity on the Mikrotik).
Second, do the following:
- disable the peer or identity representing the Proton VPN
- issue a command /system logging add topics=ipsec,!packet
- issue a command /log print follow-only file=ipsec-start where topics~"ipsec"
- enable the peer or identity you have disabled in step 1
- after 5 seconds, break the /log print ... command from step 3, download the file ipsec-start.txt and open it in your favourite text editor
- find the EAP failed line and see what's next, there should be some details on the failure.
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 4:57 pm
by menace
done, log here
15:43:49 ipsec processing payload: ENC
15:43:49 ipsec,debug => iv (size 0x10)
15:43:49 ipsec,debug ed799a32 6cf36989 5c95bb03 cabe0eb6
15:43:49 ipsec,debug => decrypted and trimmed payload (size 0x8)
15:43:49 ipsec,debug 00000008 04020004
15:43:49 ipsec,debug decrypted packet
15:43:49 ipsec payload seen: EAP (8 bytes)
15:43:49 ipsec processing payloads: NOTIFY (none found)
15:43:49 ipsec processing payload: EAP
15:43:49 ipsec,error EAP failed:
15:43:49 ipsec,info killing ike2 SA: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:383cf41632d912ef:06f704beb94edb5d
15:43:49 ipsec KA remove: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500]
15:43:49 ipsec,debug KA tree dump: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500] (in_use=1)
15:43:49 ipsec,debug KA removing this one...
do you need more of the log??
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 5:10 pm
by sindy
The colon after "EAP failed" was promising, but as the log shows it was a notification from the server side, it is unlikely the log will shed more light on the reason of the failure. However, if you are absolutely sure that the username and loging are correct (e. g., do they use the same credentials for account management via web and for the VPN authentication?), do post the complete log, I dn't completely exclude that some hint can be found there.
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 5:47 pm
by menace
Yes 100% sure of my credentials are entered correctly
no, account management and vpn credentials are diffrent
over 1600 lines of log here
https://pastebin.com/QqTnwQbr
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 5:55 pm
by sindy
OK, I've missed that on your /ip ipsec identity row.
Remove the certificate item from there. The Proton's root CA certificate you have imported is used by your Mikrotik to verify validity of the certificate provided by the responder ("server") to authenticate itself to you. Your Mikrotik uses username and password, not certificate, to authenticate itself to the responder. By configuring a certificate, you tell it to use it instead, which confuses the responder. The fact that you've used the particular certificate for a wrong purpose is a secondary issue.
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 6:04 pm
by menace
removed certificate from identity
new log uploaded
https://pastebin.com/23dAZCzq
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 6:42 pm
by sindy
The differences to my working ProtonVPN configuration are the following:
- different ProtonVPN server used (different peer address)
- eap-methods=eap-mschapv2,eap-peap,eap-ttls
As the guy above you is successful with
eap-mschapv2 alone, I can't say which of the differences are more important. Maybe something has changed in the meantime.
Re: ProtonVPN on Mikrotik
Posted: Mon Jan 11, 2021 6:58 pm
by menace
hmm tried just for the fun of it to remove mschapv2 and added eap-peap,eap-ttls
now my log looks like this
17:49:20 ipsec <- ike2 request, exchange: AUTH:5 193.148.18.40[4500] 1d1480f532a080d8:79e854109793983f
17:49:20 ipsec,debug ===== sending 272 bytes from 89.xxx.xxx.xxx[4500] to 193.148.18.40[4500]
17:49:20 ipsec,debug 1 times of 276 bytes message will be sent to 193.148.18.40[4500]
17:49:20 ipsec,error EAP failed: handshake failed: self signed certificate
17:49:20 ipsec,info killing ike2 SA: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:1d1480f532a080d8:79e854109793983f
17:49:20 ipsec KA remove: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500]
17:49:20 ipsec,debug KA tree dump: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500] (in_use=1)
17:49:20 ipsec,debug KA removing this one...
Re: ProtonVPN on Mikrotik
Posted: Wed Jan 27, 2021 5:35 am
by 0ldy0ne
Trying to connect to Proton VPN with hAP mini, but
returns:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
As you can see - no dynamic "ipsec mode-config" NAT rule is created.
My config:
# jan/27/2021 05:24:29 by RouterOS 6.48
# software id = BZYU-I2XF
#
# model = RB931-2nD
# serial number = ***
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=ua-01.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=*** peer=ProtonVPN policy-template-group=ProtonVPN username=\
***
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
What am I doing wrong?